Managing software legal compliance

In the age of open source and large-scale outsourcing, ascertaining the legal compliance of software is just as important as assuring the quality before pressing it into production.

FRAMINGHAM, 22 FEBRUARY 2010 - In the age of open source and large-scale outsourcing, ascertaining the legal compliance of software is just as important as assuring the quality before pressing it into production. Numerous legal cases have highlighted the business risks and enormous costs incurred when compliance is not done properly -- costs stemming from judicial procedures, recalls, fixing issues post-release and missed market opportunities.

Software is a pervasive element in most products and processes, and over time, its sources have multiplied. Sources include internal development, suppliers of sub-systems and chips, outsourced contractors, open source repositories and the previous work of the developers themselves. Unlike hardware, software is easily accessed, replicated, copied and re-used.

Open source software has become a significant player in most development, due to the wide availability of source code, its low cost and its high degree of stability and security. Open source code is generally free on the surface, but it's not without obligations. It comes laden with licensing and copyright conditions which are enforceable by law -- sometimes with dire effects for users who are not careful to validate the origin and any associated obligations of all software components in their products.

This doesn't mean that leveraging outsourcing and/or open source software is to be avoided. The issue is not with the use of open source, but with unmanaged adoption and a lack of proper attention to the copyright and licensing obligations it entails. It's paramount that you validate the IP cleanliness of your products and services and ascertain that they meet all legal obligations before they are deployed.

Principal aspects of legal compliance

Assuring compliance with legal obligations involves the following three major aspects:

1. Definition of a corporate (or project-specific) intellectual property policy that must be met by all associated products and services.

2. The auditing of software to determine all implied legal obligations against the associated intellectual property policy.

3. The necessary fixes -- legal or development-intensive -- such that all software components meet said intellectual property policy.

The policy must be defined in accordance with both the business goals of the organization and its engineering processes. Therefore, it requires the involvement of business and engineering managers, as well as the proper legal counsel. The policy must be clear and enforceable. It should be captured for distribution and application within the development and quality-assurance departments.

From the perspective of an enterprise software buyer, all externally written software should be audited for compliance with the enterprise's intellectual property policy. If the software has been pre-audited by the supplier, so much the better, but it's also important to consider how the software is used at the enterprise level. Intellectual property obligations affect more than software content; they also affect downstream usage, and enterprises should be aware of potential compliance issues throughout the software food chain. Auditing and detection can be accomplished by automated tools or manual audits.